Red Pill: own your data

Anonymous (not verified) - Thu, 01/09/2014 - 17:56

The state of the Internet of Things is bleak and it is looking to get a lot worse.

Sure, we are getting more connected devices at home: laptops, tablets, smartphones, fitness trackers... But the applications and services behind them rely more and more on sharing your data with third-party advertisers and aggregators, and on locking you into their ecosystem so that you are more likely to buy more of their products. And these devices only get more powerful with time: more apps, more complexity, more potential for adware, spyware and malware...

Although the consumer bought the device, she actually has no control over it: you don't own the device, you are only licensed to use it under conditions defined by abusive End User License Agreements (EULA) and Terms of Service (ToS). This is planned obsolescence built in, to be triggered whenever the company chooses, at any point, without any obligation to offer an equivalent alternative.

Worse, if the company goes bust (Zeo, Greengoose, Nabaztag...) you are left with a "brick" and your data history is lost forever, if it hasn't been stolen or resold first.

So how can we redesign the current and future "Internet of Things" ecosystem to be favourable to us, the users?

You're thinking "I don't care. I just want a new shiny wearable iPhad"? Take your blue pill, close that tab and go back to what you were doing.

You're fed up? You want your data? You want to know what your apps are really up to? Take the red pill and keep on reading.

Take the Red Pill

Red Pill is more than a regular home Wi-Fi access point: it intercepts, on your behalf, the data your connected devices send back to the cloud.

Plug it into one of the Ethernet sockets of your home router, switch it on, and tell your devices (IoT, smartphones...) to use that new Wi-Fi access point.

By default, RedPill is transparent to your devices and cloud services: all it does is record the HTTP and HTTPS traffic that passes through it.

For example, when a Withings scale contacts the cloud, it looks like this in the console:

Adding a short script to RedPill can target a specific POST request (in this case /measure), extract the JSON data, dump it to a file and share it (or not) in your personal cloud with Seafile or ownCloud.

On top of that, RedPill can be set up to perform "server-side replays": you tell it to impersonate the cloud service, so the IoT device or smartphone spills its data while believing it is talking to the cloud, but the data never leaves your home. That's your data and privacy back in your hands! The catch is that the canned reply has to be one the device accepts, which is why you record a genuine exchange first and replay that.
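Here is what the capture-and-replay script from the two paragraphs above can look like. This is an added example, not the Red Pill project's own script: it is a mitmproxy addon that catches a POST to /measure, extracts the JSON payload, appends it to a local file, and, when replay is switched on, answers the device itself so the request is never forwarded. The mitmproxy 7+ addon API (`request(flow)` hook, `http.Response.make`), the `/measure` path, the JSON-or-form body handling, the environment variable names and the canned `{"status": 0}` reply are all assumptions; the sample request body is constructed for the example, not a real capture.

```python
"""Added example (not the Red Pill project's own code): a mitmproxy addon that
captures a specific POST, extracts its JSON payload, dumps it locally and can
answer the device itself ("server-side replay") so the data stays at home.

Assumptions (not from the original post): mitmproxy 7+ addon API, the
/measure endpoint, a JSON or form-encoded body, and the canned reply below.
"""
import json
import os
import time
from urllib.parse import parse_qs

try:  # only needed when loaded inside mitmproxy; the extraction logic is pure Python
    from mitmproxy import http
except ImportError:  # pragma: no cover
    http = None

TARGET_PATH = "/measure"                                   # assumption: endpoint to capture
DUMP_FILE = os.environ.get("REDPILL_DUMP", "measure.jsonl")  # assumption: where to dump
REPLAY = os.environ.get("REDPILL_REPLAY") == "1"          # 1 = answer locally, never forward

# Constructed sample in the shape of the POST we want to catch (not a real capture).
SAMPLE_CONTENT_TYPE = "application/json; charset=utf-8"
SAMPLE_BODY = b'{"weight": 70500, "impedance": 512, "date": 1389200000}'


def matches(method, path):
    """True for a POST to TARGET_PATH, ignoring any query string."""
    return method == "POST" and path.split("?", 1)[0] == TARGET_PATH


def extract_json(content_type, body):
    """Return the JSON document carried by a request body, or None.

    Handles a raw JSON body and a form-encoded body whose fields hold JSON
    (fields that are not JSON are kept as plain strings).
    """
    text = body.decode("utf-8", errors="replace")
    if "json" in content_type:
        try:
            return json.loads(text)
        except ValueError:
            return None
    if "x-www-form-urlencoded" in content_type:
        out = {}
        for key, values in parse_qs(text).items():
            try:
                out[key] = json.loads(values[0])
            except ValueError:
                out[key] = values[0]
        return out or None
    return None


def make_entry(host, path, data, ts=None):
    """Build the record that is written to the dump file, one JSON object per line."""
    return {"ts": int(time.time()) if ts is None else ts,
            "host": host, "path": path, "data": data}


def record(host, path, data, dump_file=DUMP_FILE):
    """Append one capture to the dump file and return the stored entry."""
    entry = make_entry(host, path, data)
    with open(dump_file, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def request(flow):
    """mitmproxy hook: called for every client request passing through the proxy."""
    req = flow.request
    if not matches(req.method, req.path):
        return
    data = extract_json(req.headers.get("content-type", ""), req.content or b"")
    if data is None:
        return  # not the payload we expect; let it through untouched
    record(req.host, req.path, data)
    if REPLAY and http is not None:
        # Server-side replay: setting flow.response makes mitmproxy answer the
        # device directly and never forward the request upstream. The reply
        # body is an assumption; a real device expects whatever its vendor sends.
        flow.response = http.Response.make(
            200, json.dumps({"status": 0}).encode(), {"Content-Type": "application/json"})


def demo():
    """Run the extraction on the constructed sample; returns the entry that would be stored."""
    data = extract_json(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)
    return make_entry("scale.example.net", "/measure", data, ts=1389200000)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on the access point with `mitmdump --mode transparent -s redpill_measure.py` (transparent mode needs the usual iptables redirect of ports 80/443 to mitmproxy, as in the mitmproxy documentation), and set `REDPILL_REPLAY=1` once you have seen a real exchange and know what reply the device expects. Everything that matters for later analysis (timestamp, host, path, decoded payload) is in the dump file, so the Seafile/ownCloud sync is just a matter of pointing it at that file.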

One possible downside: there may be extra work to make some of the raw intercepted data meaningful, since you may need the vendor's proprietary formulae. For example, the Wi-Fi scale returns a resistivity value rather than a calculated body-fat value. It is then up to you and the community to craft your own function to derive the measure. On the upside, this lets users develop functions that better fit their own situation or health.

This setup has one big advantage over Wolfram's and other aggregated IoT/M2M visions: RedPill catches the data at the source instead of registering for, and dealing with, broken/incomplete/obsolete/unavailable/paywalled APIs!

Future developments from Wolfram in the IoT field can also be taken advantage of, since Mathematica is free and supported on the Raspberry Pi.

What if the app developers did not botch the security and encrypted the flow to their servers? The intercepting software, mitmproxy, can decrypt HTTPS traffic once you install its CA certificate on your smartphone. The limits are worth knowing: a device that offers no way to install a certificate (most standalone IoT gadgets) cannot be made to trust the proxy, and an app that pins its server's certificate will refuse the connection rather than accept mitmproxy's. In those cases you are back to recording the encrypted flow without seeing inside it.

For a smarter home Wi-Fi

Privacy, security and personal storage are a hard sell. To a consumer it simply looks easier and cheaper to hand it all over to freemium third-party clouds.

RedPill, or any similar appliance, will never appeal to an average consumer if it does not have clear, distinct and immediate advantages over average routers and cloud services. So RedPill needs additional features to make it more attractive; these could be:

Why not use an app directly on the phone to extract and keep all that data? Simple answer: you would need to jailbreak/root the phone, write an app that does a job similar to mitmproxy's, and assume the phone is not already compromised and is reporting truthfully.